Prepare a key pair for the card and place a unique PIN on the card by
an initialization workstation for use on an administrator card for a
user to unlock the card and have the certificate available

Deliver the card to an operations center that is responsible for
establishing access control to the host system

Link the card with its PIN and key pair and create a certificate for
the cardholder on a personalization system of the operations center
with information provided in a request for the certificate for the
cardholder

Receiving a request for the certificate by a registration authority
(RA) in the system and sending the request to a certificate authority
(CA)

Review the information and create and sign the certificate by the CA
with a master certificate stored by a key management system (KMS)

Post a copy of the certificate to a lightweight directory assistance
protocol (LDAP) directory for the CA and a card life cycle
management system (CCLCMS) in a location in which the basic
log-in rights and access rights for the cardholder are identified to the
CCLCMS

Distribute the card and PIN to the cardholder through separate
mechanisms for security



FIG. 1 
Store an encrypted private key for the certificate on a computer disk
at a badging station within a secure environment

Allowing a user on the external system to request the certificate via
the badging station in a dialog using keystore encryptokey

Send the user's request to the RA for review and approval of the
request and generation of the certificate



Log onto a card management system LDAP and create a log-on 
equivalent for the card management system by the RA and sending 
the request to the CA 
Create the certificate by the CA



Post the certificate to the LDAP directory 
Send an email notice of the certificate to the user who created the
certificate request on the system



Allowing download and storage of the certificate in response to a 
request by the user 



Allow the external system to interact with the CCLCMS using the 
certificate 



FIG. 2

Create a certificate for an external system via a personalization
portal that interacts with the CCLCMS providing updates and
changes to data that is maintained within the CCLCMS

Store the certificate for the system on a hardware storage module
(HSM)

Create a key pair by the HSM in response to a request, storing a
private key of the key pair, and delivering only a public key of the
key pair external to the HSM

Send the public key with request information to the RA for review
and approval

Create an entry in the LDAP for the user who created the certificate
request on the system and send the request to the CA by the RA

Receive the request by the CA, verify that the request is complete,
create the certificate, and send an email to the user confirming
creation of the certificate



S26 



Allowing download and storage of the certificate including only the 
public key on a computer disk in response to a request by the user 



FIG. 3 



